Chapter 1 

Introduction 



1.1 Purpose 

The purpose of this document is to describe the features of Ftklipse, an 
extendable platform for computer forensics. This document will explain the 
product for the customer, as well as provide a detailed specification for the 
developer. 

1.2 Scope 

Ftklipse is a thick-client solution for forensics investigation. It allows 
investigators to collect and preserve evidence, to analyze it and to report on it. 

It supports chain of custody management, access control policies and 
batch operation of its included tools in order to facilitate and accelerate the 
investigation. The environment itself and its tools are configurable as well. 

1.3 Definitions and Acronyms 

Cryptographic Hash Function Function mapping input data of arbitrary 
size to a fixed-size output that is highly collision resistant. 

JVM The Java Virtual Machine. Program and framework allowing the 
execution of programs developed using the Java programming language. 

GUI Graphical User Interface. 

1.4 Compliance 

This document was written based on [So98]. 



Chapter 2 

Overall Description 



2.1 Product Perspective 

• Ftklipse is meant to be a stand-alone product, depending on a variety 
of standard tools organized as plug-ins. 

• Ftklipse is meant to be extendable using plug-ins that will add evidence 
gathering and analysis properties 

• The product has only one interface, a graphical user interface residing 
on the client computer 

2.1.1 System interfaces 

The only interface to the system will be its GUI. 



2.1.2 User Interfaces 

Ftklipse implements a user interface that is evidence-centric. It offers wizards 
for each of its features for ease of use. It allows investigators to record 
notes for each piece of evidence as well as to record additional reporting 
information. Please refer to Figure 2.1 and Figure 2.2 for an example of the 
look and feel of the application. 



Figure 2.1: User Interface Showing the Case Introduction 

Figure 2.2: User Interface Showing the Evidence Information and Notes 
2.1.3 Software Interfaces 

The product must expose a software interface for plug-in developers to use. 
The interfaces provided must allow to: 

• Register the plug-in 

• Extend the Graphical User Interface's tool menus (window, pop-up, 
etc.) 

• Offer an interface for the plug-in to implement to allow callbacks 
enabling execution 

2.2 Product Functions 

The system will implement the following functionalities: 

• Creation of cases 

• Evidence Gathering using integrated and plug-in tools 

• Evidence Integrity validation using a hash function 

• Evidence Import from any media to an existing case 

• Logging of all operations performed on the evidence 

• Validation of integrity of evidence after each operation over it 

• Display of evidence in read-only mode either in ASCII, Unicode or 
Hex formats 

• Recording of investigative notes for each piece of evidence 

• Capability to extract a part of the evidence into another file 

• Capability to copy and rename the copy of the evidence 
• Generation of reports in PDF and LaTeX2e formats that include a listing 
of the evidence in the case, a printout of selected parts of the evidence, 
the investigative notes related to selected parts of the evidence and 
a customized executive summary, introduction, and conclusion. It 
also integrates the chain of custody information for each part of the 
evidence, displaying the principal, time stamp and operation performed 
on the evidence. 

• An extendable set of tools through a plug-in architecture 

• Tool-specific defaults and configuration screens 

2.3 User Characteristics 

Users are cyber forensics investigators. They are experienced using existing 
sets of tools, and will be trained in the use of Ftklipse before its deployment. 

Indirect users are investigators, prosecutors, judges and laypersons, who 
will consult the reports generated. They expect reports of high quality which 
demonstrate objectivity and methodology. 

2.4 Constraints 

2.4.1 Hardware Constraints 

Any computer able to operate the Eclipse platform can be used to operate 
Ftklipse. 

2.4.2 Software Constraints 

It is assumed that the investigator's computer supports and includes the 
following programs: 

• JVM, version 5 or higher 

• LaTeX2e, preferably pdflatex 

Other tools are not assumed to be present, as they are integrated in each 
plug-in. 

In the case of using Ftklipse for evidence collection only, only the JVM 
is required. 

2.5 Assumptions and Dependencies 

The software assumes a non-hostile environment (i.e. one not aiming at 
disturbing its operation). 

2.6 Apportioning of requirements 

Some features are to be implemented in later versions of Ftklipse, notably: 

• Integration of the Access Control framework with administrator screens 

• LaTeX output of reports 

• Object-specific logging 

• Hexadecimal and image display 

• Evidence Extraction 



Chapter 3 

Specific Requirements 



3.1 External Interfaces 

The product must expose a software interface for plug-in developers to use. 
The interfaces provided must allow to: 

• Register the plug-in 

• Extend the Graphical User Interface's tool menus (window, pop-up, 
etc.) 

• Offer an interface for the plug-in to implement to allow callbacks 
enabling execution 



3.2 Functional Requirements 
3.2.1 Domain Model 

Our domain model is a traditional police investigation one, augmented with 
some information specific to cyber forensics and our requirements [Deb]. It 
is summarized in Figure 3.1. 



3.2.2 Use Case Model 



The use case model for Ftklipse is illustrated in Figure 3.2. 

Figure 3.1: Domain Model for Ftklipse 

Figure 3.2: Use Case Diagram for Ftklipse 

3.3 Requirements Description 
3.3.1 Creation of cases 

Description Ftklipse allows the creation of cases with their associated 
metadata, as specified in section 3.5. 

Criticality This feature is critical to the software. 

Technical Issues None 

Dependencies with Other Requirements None 

3.3.2 Evidence Gathering 

Description Ftklipse allows investigators to run different tools in order to 
perform evidence collection on a live system. 

Criticality This feature is critical to the software. 

Technical Issues The collection of the output of the gathering tool can 
be problematic, considering the variety of tools and their working. The 
redirection of the tool's standard input and output in a manner useful to 
the investigator should be considered. 

Dependencies with Other Requirements None 

3.3.3 Evidence Analysis 

Description Ftklipse allows investigators to run different tools on one or 
more selected pieces of evidence, as well as to operate a batch analysis. In 
the latter case, the system must offer a GUI to the user that allows the 
selection of the evidence and the operations to perform on it. 

Criticality The ability to analyze the evidence is critical. However, the 
automated analysis of multiple pieces of evidence is not critical. 

Technical Issues The development of a generic programming interface 
for the variety of analysis tools is likely to be complex. 

Dependencies with Other Requirements None 

3.3.4 Evidence Integrity Validation 

Description Ftklipse records the SHA-1 signature of every piece of evidence 
and ensures that the evidence is kept intact during the investigation. 
In the case of a corruption of the evidence, Ftklipse detects it and records 
which operation caused this corruption. 

Criticality This feature is important to the operation of the software, 
although not critical. 

Technical Issues 

Dependencies with Other Requirements 

3.3.5 Evidence Import 

Description Ftklipse allows the import of evidence that was collected outside 
of itself. The evidence must be accompanied by a correct SHA-1 digest in 
order to be imported into the system. 

Criticality This feature is important, although not critical. 

Technical Issues The encoding and format of the SHA-1 signature can 
vary from one tool to another. 

Dependencies with Other Requirements 
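The integrity rules of sections 3.3.4 and 3.3.5, sketched as an added Python example (not Ftklipse's own Java code): a normaliser for the differing digest formats external tools emit, an import that refuses a mismatched digest, and a re-hash after every operation that records in the chain of custody which operation corrupted the evidence. The bytearray storage and the custody-entry fields are assumptions.

```python
import base64
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

def normalize_sha1(text):
    """Lowercase hex from bare hex (any case), 'hex  file' lines or base64."""
    token = (text.split() or [""])[0]
    if re.fullmatch(r"[0-9a-fA-F]{40}", token):
        return token.lower()
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raw = b""
    if len(raw) == 20:
        return raw.hex()
    raise ValueError("unrecognised SHA-1 digest format: %r" % text)

@dataclass
class Evidence:
    data: bytearray  # mutable on purpose, so a faulty tool can be caught
    sha1: str        # digest recorded when the evidence entered the case
    custody: list = field(default_factory=list)  # chain-of-custody entries

    def log(self, principal, operation):
        """Re-hash and record who did what and whether the bytes still match."""
        intact = hashlib.sha1(self.data).hexdigest() == self.sha1
        self.custody.append({"time": datetime.now(timezone.utc).isoformat(),
                             "principal": principal, "operation": operation,
                             "intact": intact})
        return intact

    def corrupting_operations(self):
        return [e["operation"] for e in self.custody if not e["intact"]]

def import_evidence(data, declared_digest, principal):
    """Accept outside evidence only if its declared SHA-1 matches the bytes."""
    expected = normalize_sha1(declared_digest)
    actual = hashlib.sha1(data).hexdigest()
    if actual != expected:
        raise ValueError("digest mismatch: declared %s, got %s" % (expected, actual))
    ev = Evidence(bytearray(data), actual)
    ev.log(principal, "import")
    return ev

def run_operation(ev, operation, tool, principal):
    result = tool(ev.data)  # a tool may (wrongly) modify the bytes in place
    return result, ev.log(principal, operation)
```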
3.3.6 Logging 

Description All operations are logged globally by Ftklipse. Furthermore, 
all operations related to a given piece of evidence are logged for that evidence 
specifically. 

Criticality The global logging is critical to Ftklipse. The specific logging 
is important, but not essential. 

Technical Issues 

Dependencies with Other Requirements 

3.3.7 Evidence Display 

Description The evidence can be visualized, if authorized, in read-only 
mode either in ASCII, Unicode or Hex formats. Furthermore, images can be 
viewed within Ftklipse and can be opened in an external viewer program. 

Criticality This function is critical to the operation of the software in 
ASCII. 

Technical Issues 

Dependencies with Other Requirements 

3.3.8 Recording of Investigative Notes 

Description The investigator must be able to record information regarding 
each piece of evidence, as well as report-specific information. 

Criticality This function is critical to the operation of Ftklipse. 

Technical Issues 

Dependencies with Other Requirements 

3.3.9 Evidence Extraction 

Description The investigator must be able to select a subset of the viewed 
evidence and extract it into another file, which will then be treated as 
evidence itself. Ftklipse must record this operation and keep relationship 
information in the database of evidence. 

Criticality This feature is of moderate importance. 

Technical Issues 

Dependencies with Other Requirements 

3.3.10 Evidence Cloning 

Description The investigator must be able to copy a piece of evidence in 
full and optionally to rename the copy. 

Criticality This feature is nice to have. 

Technical Issues 

Dependencies with Other Requirements 

3.3.11 Report Generation 

Description The investigator must be able to generate a report for a 
selected case that includes all evidence, their notes, as well as other 
report-specific data. The output formats can be PDF or LaTeX2e. 

Criticality This feature is critical. 

Technical Issues 
Dependencies with Other Requirements 

3.3.12 Plug-in Architecture 

Description Ftklipse allows third-party developers to create plug-ins that 
can be added at configuration time by system administrators. 

Criticality This feature is critical. 

Technical Issues 

Dependencies with Other Requirements 

3.3.13 Access Control Management 

Description Ftklipse operates with an access control list for each case, 
piece of evidence, and report information. Each user must be authenticated 
and each operation must be authorized in view of the user's access rights. 
Notably, the rights that must be implemented are: 

• View rights over a case or piece of evidence. This defines if the user 
is authorized to be aware of the existence of a given case or piece of 
evidence. 

• Read rights over a case or piece of evidence. This defines if the user, 
being previously granted view rights over the object, is able to read 
the case's information or visualize or operate on a piece of evidence. 

• Write rights over a case or piece of evidence. This defines if the user 
is authorized to add to the general case notes or the evidence notes. 
This also defines if the user is allowed to add evidence to a given case. 

Ftklipse must offer default access rights based on the user's role, as 
well as default access rights for different categories of objects. 

Ftklipse must provide GUI tools to manage both user and object 
rights. 

Criticality This feature is important, not critical. 

Technical Issues The implementation of the access control algorithm can 
be complex. Furthermore, some administration functions (such as the 
impact of a redefinition of default rights) require some thought to ensure that 
no previously confidential information becomes publicly available. 

Dependencies with Other Requirements 
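The rights model of this section as an added Python example, not the Ftklipse implementation: view, read and write rights where read requires view (write requiring read is an assumption), defaults by user role and object category, and a preview of which (user, object) pairs a redefined category default would newly expose, the administration hazard named under Technical Issues. The rule that an explicit ACL entry overrides the defaults, and the role and category names used in the test, are assumptions.

```python
RIGHTS = ("view", "read", "write")  # read needs view (stated); write needs read (assumed)

class AccessControl:
    def __init__(self, role_defaults, category_defaults):
        self.role_defaults = role_defaults          # role -> set of default rights
        self.category_defaults = category_defaults  # object category -> set of rights
        self.users = {}    # user -> role, filled by add_user
        self.objects = {}  # object id -> category (case, evidence, report, ...)
        self.acl = {}      # (object id, user) -> explicitly granted rights

    def add_user(self, user, role):
        self.users[user] = role

    def add_object(self, obj, category):
        self.objects[obj] = category

    def grant(self, obj, user, rights):
        self.acl[(obj, user)] = set(rights)

    def effective_rights(self, user, obj):
        """An explicit ACL entry wins; otherwise the role's defaults apply,
        limited to what the object's category allows by default."""
        if (obj, user) in self.acl:
            return set(self.acl[(obj, user)])
        by_role = self.role_defaults.get(self.users.get(user), set())
        by_cat = self.category_defaults.get(self.objects.get(obj), set())
        return by_role & by_cat

    def authorized(self, user, obj, right):
        """Unknown principals are refused; a right needs all rights below it."""
        if user not in self.users or obj not in self.objects:
            return False
        held = self.effective_rights(user, obj)
        needed = RIGHTS[: RIGHTS.index(right) + 1]
        return all(r in held for r in needed)

    def view_pairs(self):
        return {(u, o) for u in self.users for o in self.objects
                if self.authorized(u, o, "view")}

    def widened_by(self, new_category_defaults):
        """(user, object) pairs that would become visible under the proposed
        category defaults; review them before applying the change."""
        before = self.view_pairs()
        saved, self.category_defaults = self.category_defaults, new_category_defaults
        try:
            after = self.view_pairs()
        finally:
            self.category_defaults = saved
        return after - before
```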

3.3.14 Tool-specific defaults and configuration screens 

Description Each tool is responsible for maintaining its state, notably 
regarding its default settings, which must be modifiable by the user and 
preserved from one run of Ftklipse to another. 

Each tool must supply a screen that allows the user to set the proper 
parameters before the operation of the tool. 

Default options are to be used on direct invocation of the tool. 

Criticality This feature is important. 

Technical Issues 

Dependencies with Other Requirements 

3.4 Performance Requirements 

Ftklipse does not have any particular performance requirements. 

3.5 Logical Database Requirements 

A database is required in order to store the case management and chain of 
custody information. 

The database must be able to store: 
• The relationship between parts of the evidence 

• The operations done on the evidence, including their time stamp, their 
description and the investigator who performed them. 

The information that must be tracked by the database is the following: 

• The case's meta-information (ID, details, description, timestamps, in- 
vestigators) 

• The case's evidence. 

• The user credentials. 

• The object access control lists. 

• The chain of custody over every piece of evidence. This includes the 
cryptographic hash sums, the operations performed on the evidence 
and the principal who performed it. 

3.6 Design Constraints 

The design must take into consideration that the base implementation 
language is Java. It must also take into consideration the different options 
of the tools that can be plugged into it. 

3.7 Software System Attributes 

In this section, we describe the non-functional attributes of Ftklipse. 

3.7.1 Security 

3.7.2 Reliability 

The software must behave correctly during 20 continuous hours of operation. 
3.7.3 Availability 

There are no availability constraints. 

3.7.4 Maintainability 

The software must allow for tool plug-ins to be integrated automatically. 
The software must also be self-updatable. 

3.7.5 Portability 

The software must operate on POSIX and Windows systems. Tools 
integrated in the software must be adjusted accordingly. 